Appendix A Audit Record Descriptions

This appendix has two parts. The first part describes each component of an audit
record structure and each audit token structure. The second part defines all of the
audit records generated by the Basic Security Module by event description.

Audit Record Structure

An audit record is a sequence of audit tokens. Each token contains event information
such as user ID, time, and date. A header token begins an audit
record, and an optional trailer concludes the record. Other audit tokens contain audit-relevant
information. Figure A-1 shows a typical audit record.

Figure A-1 Typical Audit Record

Audit Token Structure

Logically, each token has a token type identifier followed by data specific
to the token. Each token type has its own format and structure. The current tokens
are shown in Table A-1. The token scheme can be extended.

An audit record always contains a header token. The header token indicates where the audit record begins in the audit trail.
Every audit record contains a subject token, except for audit records
from some nonattributable events. In the case of attributable events, these two tokens
refer to the values of the process that caused the event. In the case of asynchronous
events, the process tokens refer to the system.

acl token

The acl token records information about ACLs. It has four fixed fields: a token ID that identifies this token as an acl token, a field that specifies the ACL type, an ACL ID field, and a field that lists the permissions associated with this ACL. The acl token appears as follows:

Figure A-2 acl Token Format

arbitrary Token

The arbitrary token encapsulates data for the audit trail.
It consists of four fixed fields and an array of data. The fixed fields are: a token
ID that identifies this token as an arbitrary token, a suggested
format field (for example, hexadecimal), a size field that specifies the size of data
encapsulated (for example, short), and a count field that gives the number of following
items. The remainder of the token is composed of one or more items of the specified
type. The arbitrary token appears as follows:

arg Token

The arg token contains system call argument information: the argument number of the system call, the argument value, and an optional descriptive text string. This token allows a 32-bit integer system-call argument in an audit record. The arg token has 5 fields: a token ID that identifies this token as an arg token, an argument ID that tells which system call argument the token refers to, the argument value, the length of a descriptive text string, and the text string. Figure A-4 shows the token form.

Figure A-4 arg Token Format

attr Token

The attr token contains information from the file vnode. This token has 7 fields: a token ID that identifies this as an attr token, the file access mode and type, the owner user ID, the owner group ID, the file system ID, the inode ID, and the device ID the file might represent. See the statvfs(2) man page for further information about the file system ID and the device ID.

This token usually accompanies a path token and is produced
during path searches. In the event of a path-search error, this token is not included
as part of the audit record since there is no vnode available to
obtain the necessary file information. Figure A-5 shows the attr token format.

Figure A-5 attr Token Format

exec_args Token

The exec_args token records the arguments to an exec system
call. The exec_args record has two fixed fields: a token ID field
that identifies this as an exec_args token, and a count that represents
the number of arguments passed to the exec call. The remainder
of the token is composed of zero or more null-terminated strings. Figure A-6 shows an exec_args token.

Figure A-6 exec_args Token Format

Note -

The exec_args token is output only when the audit policy argv is active. See "Setting Audit Policies" for more information.

exec_env Token

The exec_env token records the current environment variables
to an exec system call. The exec_env record
has two fixed fields: a token ID field that identifies this as an exec_env token, and a count that represents the number of arguments passed to the exec call. The remainder of the token is composed of zero or more null-terminated
strings. Figure A-7 shows an exec_env token.

Figure A-7 exec_env Token Format

Note -

The exec_env token is output only when the audit policy arge is active. See "Setting Audit Policies" for more information.

exit Token

The exit token records the exit status of a program. It contains a status field and a return value. The status field is the same as that passed to the exit system call. The return value field indicates a system error number or a return value that further describes the exit status. Figure A-8 shows an exit token.

Figure A-8 exit Token Format

file Token

The file token is a special token generated by the audit daemon to mark the beginning of a new audit trail file and the end of an old file as it is deactivated. The audit daemon builds a special audit record containing this token to "link" together successive audit files into one audit trail. The file token has four fields: a token ID that identifies this token as a file token, a time and date stamp that identifies the time the file was created or closed, a byte count of the file name including a null terminator, and a field holding the null-terminated file name. Figure A-9 shows a file token.

Figure A-9 file Token Format

groups Token (Obsolete)

This token has been replaced by the newgroups token, which
provides the same type of information but requires less space. A description of the groups token is provided here for completeness, but the application designer
should use the newgroups token. Notice that praudit
does not distinguish between the two tokens, as both token IDs are labelled groups when ASCII style output is displayed.

The groups token records the groups entries from the process's
credential. The groups token has two fixed fields: a token ID field
that identifies this as a groups token, and a count that represents
the number of groups contained in this audit record. The remainder of the token consists
of zero or more group entries. Figure A-10 shows a groups token.

Figure A-10 groups Token Format

header Token

The header token is special in that it marks the beginning
of an audit record and combines with the trailer token to bracket
all the other tokens in the record. The header token has six fields:
a token ID field that identifies this as a header token, a byte
count of the total length of the audit record, including both header and trailer,
a version number that identifies the version of the audit record structure, the audit
event ID that identifies the type of audit event the record represents, an event ID
modifier that contains ancillary descriptive information concerning the type of the
event, and the time and date the record was created. Figure A-11 shows a header token.

Figure A-11 header Token Format

in_addr Token

The in_addr token contains an Internet address. This 4-byte
value is an Internet Protocol address. The token has two fields: a token ID that identifies
this token as an in_addr token and an Internet address. Figure A-12 shows an in_addr token.

Figure A-12 in_addr Token Format

ip Token

The ip token contains a copy of an Internet Protocol header
but does not include any IP options. The IP options can be added by including more
of the IP header in the token. The token has two fields: a token ID that identifies
this as an ip token and a copy of the IP header (all 20 bytes).
The IP header structure is defined in /usr/include/netinet/ip.h. Figure A-13 shows an ip token.

Figure A-13 ip Token Format

ipc Token

The ipc token contains the System V IPC message/semaphore/shared-memory
handle used by the caller to identify a particular IPC object. This token has three
fields: a token ID that identifies this as an ipc token, a type
field that specifies the type of the IPC object, and the handle that identifies the
IPC object. Figure A-14 shows an ipc token.

Figure A-14 ipc Token Format

Note -

The IPC object identifiers violate the context-free nature of the Solaris CMW
audit tokens. No global "name" uniquely identifies IPC objects; instead,
they are identified by their handles, which are valid only during the time the IPC
objects are active. The identification should not be a problem since the System V
IPC mechanisms are seldom used and they all share the same audit class.

The IPC object type field can have the values shown in Table A-4. The values are defined in /usr/include/bsm/audit.h.

Table A-4 IPC Object Type Field

Name        Value   Description
AU_IPC_MSG  1       IPC message object
AU_IPC_SEM  2       IPC semaphore object
AU_IPC_SHM  3       IPC shared memory object

ipc_perm Token

The ipc_perm token contains a copy of the System V IPC access
information. This token is added to audit records generated by shared memory, semaphore,
and message IPC events. The token has eight fields: a token ID that identifies this
token as an ipc_perm token, the user ID of the IPC owner, the group
ID of the IPC owner, the user ID of the IPC creator, the group ID of the IPC creator,
the access modes of the IPC, the sequence number of the IPC, and the IPC key value.
The values are taken from the ipc_perm structure associated with
the IPC object. Figure A-15 shows
an ipc_perm token format.

Figure A-15 ipc_perm Token Format

iport Token

The iport token contains the TCP (or UDP) port address. The
token has two fields: a token ID that identifies this as an iport
token and the TCP/UDP port address. Figure A-16 shows an iport token.

Figure A-16 iport Token Format

newgroups Token

This token is the replacement for the groups token. Notice
that praudit does not distinguish between the two tokens, as both
token IDs are labelled groups when ASCII output is displayed.

The newgroups token records the groups entries from the process's
credential. The newgroups token has two fixed fields: a token ID
field that identifies this as a newgroups token, and a count that
represents the number of groups contained in this audit record. The remainder of the
token is composed of zero or more group entries. Figure A-17 shows
a newgroups token.

Figure A-17 newgroups Token Format

Note -

The newgroups token is output only when the audit policy group is active. See "The auditconfig Command" for more information.

opaque Token

The opaque token contains unformatted data as a sequence
of bytes. The token has three fields: a token ID that identifies this as an opaque token, a byte count of the amount of data, and an array of byte data. Figure A-18 shows an opaque token.

Figure A-18 opaque Token Format

path Token

The path token contains access path information for an object.
The token contains a token ID and the absolute path to the object based on the real
root of the system. The path has the following structure: a byte count of the path
length and the path. Figure A-19 shows a path token.

Figure A-19 path Token Format

process Token

The process token contains information describing a process
as an object such as the recipient of a signal. The token has 9 fields: a token ID
that identifies this token as a process token, the invariant audit
ID, the effective user ID, the effective group ID, the real user ID, the real group
ID, the process ID, the audit session ID, and a terminal ID. Figure A-20 shows a process token.

Figure A-20 process Token Format

The audit ID, user ID, group ID, process ID, and session ID are long instead
of short.

Note -

The process token fields for the session ID, the real user
ID, or the real group ID might be unavailable. The entry is then set to -1.

return Token

The return token contains the return status of the system
call (u_error) and the process return value (u_rval1).
The token has three fields: a token ID that identifies this token as a return token, the error status of the system call, and the system call return
value. This token is always returned as part of kernel-generated audit records for
system calls. The token indicates exit status and other return values in application
auditing. Figure A-21 shows a return token.

Figure A-21 return Token Format

seq Token

The seq token (sequence token) is an optional token that
contains an increasing sequence number. This token is for debugging. The token is
added to each audit record when the AUDIT_SEQ policy is active.
The seq token has 2 fields: a token ID that identifies this token
as a seq token, and a 32-bit unsigned long field that contains
the sequence number. The sequence number is incremented every time an audit record
is generated and put onto the audit trail. Figure A-22 shows
a seq token.

Figure A-22 seq Token Format

socket Token

The socket token contains information describing an Internet
socket. The socket token has 6 fields: a token ID that identifies
this token as a socket token, a socket type field that indicates
the type of socket referenced (TCP/UDP/UNIX), the local port address, the local Internet
address, the remote port address, and the remote Internet address. Figure A-23
shows a socket token.

Figure A-23 socket Token Format

socket-inet Token

The socket-inet token describes a socket connection to a
local port, which is used to represent the socket information in the Internet namespace.
The socket-inet token has 4 fields: a token ID that identifies
this token as a socket-inet token, a socket family field that indicates
the Internet family (AF_INET, AF_OSI, and so
on), the address of the local port, and the address of the socket. Figure A-24 shows a socket-inet token.

Figure A-24 socket-inet Token Format

subject Token

The subject token describes a subject (process). The structure
is the same as the process token. The token has 9 fields: an ID
that identifies this as a subject token, the invariant audit ID,
the effective user ID, the effective group ID, the real user ID, the real group ID,
the process ID, the audit session ID, and a terminal ID. This token is always returned
as part of kernel-generated audit records for system calls. Figure A-25 shows the token.

Figure A-25 subject Token Format

The audit ID, user ID, group ID, process ID, and session ID are long instead
of short.

Note -

The subject token fields for the session ID, the real user
ID, or the real group ID might be unavailable. The entry is then set to -1.

text Token

The text token contains a text string. The token has three fields: a token ID that identifies this token as a text token, the length of the text string, and the text string itself. Figure A-26 shows a text token.

Figure A-26 text Token Format

trailer Token

The header and trailer tokens are special in that they distinguish the endpoints of an audit record and bracket all the other tokens. A header token begins an audit record; a trailer token ends it. The trailer is an optional token that is added as the last token of each record only when the AUDIT_TRAIL audit policy has been set.

Together with the header token, the trailer token delimits an audit record, and it supports backward seeks of the audit trail. The trailer token has three fields: a token ID that identifies this token as a trailer token, a pad number to aid in marking the end of the record, and the total number of characters in the audit record, including both the header and trailer tokens. Figure A-27 shows a trailer token.

Figure A-27 trailer Token Format

The audit trail analysis software ensures that each record contains both header and trailer. In the case of a write error, as
when a file system becomes full, an audit record can be incomplete and truncated. auditsvc, the system call responsible for writing data to the audit trail,
attempts to put out complete audit records. See the auditsvc(2) man page. When file system space runs
out, the call terminates without releasing the current audit record. When the call
resumes, it can then repeat the truncated record.
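As an added example (not code from this manual or from Solaris), the following Python reads a record as a header and trailer bracketing the tokens described above, rejects a record whose trailer disagrees with its header (the truncated-record case just described), and resynchronises a trail at the next clean header. Token ID bytes, field widths and the trailer magic are assumed from the BSM audit_record.h layout; the AUE_CHMOD sample record is constructed.

```python
import struct

# Token ID bytes, field widths and the trailer magic follow the BSM audit_record.h
# layout (assumed here: the page names the tokens but gives no numeric IDs). Big-endian.
AUT_HEADER32, AUT_TRAILER = 0x14, 0x13
AUT_PATH, AUT_SUBJECT32, AUT_RETURN32, AUT_TEXT, AUT_ARG32 = 0x23, 0x24, 0x27, 0x28, 0x2D
AUT_TRAILER_MAGIC = 0xB105  # the trailer's "pad number"
HEADER32_LEN = 18  # id(1) count(4) version(1) event(2) modifier(2) sec(4) msec(4)
TRAILER_LEN = 7    # id(1) magic(2) count(4)

class RecordError(ValueError):
    pass  # a record is truncated, or its header and trailer do not agree

def _cstring(buf, pos):
    """Read a 2-byte length (NUL included) followed by the string itself."""
    (n,) = struct.unpack_from(">H", buf, pos)
    raw = buf[pos + 2:pos + 2 + n]
    return raw.rstrip(b"\0").decode("ascii", "replace"), pos + 2 + n

def parse_record(buf, offset=0):
    """Parse one record at buf[offset]; return ([(name, fields), ...], offset after it).
    The trailer is optional (AUDIT_TRAIL policy), but when present its magic and byte
    count must agree with the header, so a record cut short by a write error is rejected."""
    if len(buf) - offset < HEADER32_LEN or buf[offset] != AUT_HEADER32:
        raise RecordError("no complete header token at offset %d" % offset)
    hdr = struct.unpack_from(">BIBHHII", buf, offset)
    reclen, end = hdr[1], offset + hdr[1]
    if reclen < HEADER32_LEN or end > len(buf):
        raise RecordError("truncated record: header claims %d bytes" % reclen)
    tokens = [("header", dict(zip(("bytes", "version", "event", "modifier", "secs", "msecs"), hdr[1:])))]
    pos = offset + HEADER32_LEN
    while pos < end:
        tid = buf[pos]
        if tid == AUT_TRAILER:
            magic, count = struct.unpack_from(">HI", buf, pos + 1)
            if magic != AUT_TRAILER_MAGIC or count != reclen or pos + TRAILER_LEN != end:
                raise RecordError("trailer does not match header")
            tokens.append(("trailer", {"bytes": count}))
            pos += TRAILER_LEN
        elif tid == AUT_SUBJECT32:
            # auid euid egid ruid rgid pid sid + terminal ID (port, machine); -1 = 0xFFFFFFFF
            names = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "machine")
            tokens.append(("subject", dict(zip(names, struct.unpack_from(">9I", buf, pos + 1)))))
            pos += 1 + 36
        elif tid == AUT_RETURN32:
            errno, retval = struct.unpack_from(">BI", buf, pos + 1)
            tokens.append(("return", {"errno": errno, "retval": retval}))
            pos += 6
        elif tid == AUT_ARG32:
            argno, value = struct.unpack_from(">BI", buf, pos + 1)
            text, pos = _cstring(buf, pos + 6)
            tokens.append(("arg", {"argno": argno, "value": value, "text": text}))
        elif tid in (AUT_PATH, AUT_TEXT):
            text, pos = _cstring(buf, pos + 1)
            tokens.append(("path" if tid == AUT_PATH else "text", {"text": text}))
        else:
            raise RecordError("unsupported token id 0x%02x" % tid)
    if pos != end:
        raise RecordError("a token overruns the record length")
    return tokens, end

def is_complete(buf, offset=0):
    try:
        parse_record(buf, offset)
        return True
    except (RecordError, struct.error):  # struct.error: a field ran off the buffer
        return False

def iter_records(trail):
    """Yield the parsable records of a trail, resynchronising past a truncated one:
    auditsvc repeats a record cut off by a write error, so the next clean header is the copy."""
    off = 0
    while off < len(trail):
        if is_complete(trail, off):
            tokens, off = parse_record(trail, off)
            yield tokens
        else:
            off += 1
            while off < len(trail) and trail[off] != AUT_HEADER32:
                off += 1

def _string_field(s):
    raw = s.encode("ascii") + b"\0"
    return struct.pack(">H", len(raw)) + raw

def build_record(event, body_tokens, secs=0, msecs=0):
    """Bracket encoded body tokens with a header32/trailer pair whose byte counts agree."""
    body = b"".join(body_tokens)
    reclen = HEADER32_LEN + len(body) + TRAILER_LEN
    header = struct.pack(">BIBHHII", AUT_HEADER32, reclen, 2, event, 0, secs, msecs)
    return header + body + struct.pack(">BHI", AUT_TRAILER, AUT_TRAILER_MAGIC, reclen)

# Constructed sample: an AUE_CHMOD (event 10) record with the token sequence of
# Table A-30, using made-up IDs and a made-up path.
SAMPLE = build_record(10, [
    struct.pack(">BBI", AUT_ARG32, 2, 0o644) + _string_field("new file mode"),
    bytes([AUT_PATH]) + _string_field("/tmp/example.txt"),
    struct.pack(">B9I", AUT_SUBJECT32, 1001, 0, 0, 1001, 10, 4242, 1001, 0, 0),
    struct.pack(">BBI", AUT_RETURN32, 0, 0),
], secs=1000000000)
```

Feeding `iter_records` a trail made of `SAMPLE[:-3] + SAMPLE` (a cut-off record followed by its repeat) yields only the whole copy.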

General Audit Record Structure

The audit records produced by the Basic Security Module consist of a sequence of tokens. Certain tokens are optional within an audit record, according to the current audit policy; the group, sequence, and trailer tokens fall into this category. The administrator can determine whether these are included in an audit record with the auditconfig command -getpolicy option.

Kernel-Level Generated Audit Records

These audit records are generated by the kernel for system calls. The records are sorted alphabetically by system call. The description of each record includes:

The name of the system call

A man page reference (if appropriate)

The audit event number

The audit event name

The audit event class

The mask for the event class

The audit record structure

Table A-5 accept(2)

Event Name: AUE_ACCEPT
Event ID: 33
Event Class: nt
Mask: 0x00000100

Format (if the socket address is not part of the AF_INET family):

header-token

arg-token (1, "fd", file descriptor)

text-token ("bad socket address")

text-token ("bad peer address")

subject-token

return-token

Format (if the socket address is part of the AF_INET family):

header-token

If there is no vnode for this file descriptor:

[arg-token] (1, "Bad fd", file descriptor)

or if the socket is not bound:

[arg-token (1, "fd", file descriptor)

text-token] ("socket not bound")

or if the socket address length = 0:

[arg-token (1, "fd", file descriptor)

text-token] ("bad socket address")

For all other conditions:

[socket-inet-token] ("socket address")

socket-inet-token ("socket address")

subject-token

return-token

Table A-6 access(2)

Event Name: AUE_ACCESS
Event ID: 14
Event Class: fa
Mask: 0x00000004

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-7 acl(2) - SETACL command

Event Name: AUE_ACLSET
Event ID: 251
Event Class: fm
Mask: 0x00000008

Format:

header-token

arg-token (2, "cmd", SETACL)

arg-token (3, "nentries", number of ACL entries)

(0..n)[acl-token] (ACLs)

subject-token

return-token

Table A-8 acct(2)

Event Name: AUE_ACCT
Event ID: 18
Event Class: ad
Mask: 0x00000800

Format (zero path):

header-token

argument-token (1, "accounting off", 0)

subject-token

return-token

Format (non-zero path):

header-token

path-token

[attr-token]

subject-token

return-token

Table A-9 adjtime(2)

Event Name: AUE_ADJTIME
Event ID: 50
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-10 audit(2)

Event Name: AUE_AUDIT
Event ID: 211
Event Class: no
Mask: 0x00000000

Format:

header-token

subject-token

return-token

Table A-11 auditon(2) - get car

Event Name: AUE_AUDITON_GETCAR
Event ID: 224
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-12 auditon(2) - get event class

Event Name: AUE_AUDITON_GETCLASS
Event ID: 231
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-13 auditon(2) - get audit state

Event Name: AUE_AUDITON_GETCOND
Event ID: 229
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-14 auditon(2) - get cwd

Event Name: AUE_AUDITON_GETCWD
Event ID: 223
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-15 auditon(2) - get kernel mask

Event Name: AUE_AUDITON_GETKMASK
Event ID: 221
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-16 auditon(2) - get audit statistics

Event Name: AUE_AUDITON_GETSTAT
Event ID: 225
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-17 auditon(2) - GPOLICY command

Event Name: AUE_AUDITON_GPOLICY
Event ID: 114
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-18 auditon(2) - GQCTRL command

Event Name: AUE_AUDITON_GQCTRL
Event ID: 145
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-19 auditon(2) - set event class

Event Name: AUE_AUDITON_SETCLASS
Event ID: 232
Event Class: ad
Mask: 0x00000800

Format:

header-token

[argument-token] (2, "setclass:ec_event", event number)

[argument-token] (3, "setclass:ec_class", class mask)

subject-token

return-token

Table A-20 auditon(2) - set audit state

Event Name: AUE_AUDITON_SETCOND
Event ID: 230
Event Class: ad
Mask: 0x00000800

Format:

header-token

[argument-token] (3, "setcond", audit state)

subject-token

return-token

Table A-21 auditon(2) - set kernel mask

Event Name: AUE_AUDITON_SETKMASK
Event ID: 222
Event Class: ad
Mask: 0x00000800

Format:

header-token

[argument-token] (2, "setkmask:as_success", kernel mask)

[argument-token] (2, "setkmask:as_failure", kernel mask)

return-token

Table A-22 auditon(2) - set mask per session ID

Event Name: AUE_AUDITON_SETSMASK
Event ID: 228
Event Class: ad
Mask: 0x00000800

Format:

header-token

[argument-token] (3, "setsmask:as_success", session ID mask)

[argument-token] (3, "setsmask:as_failure", session ID mask)

subject-token

return-token

Table A-23 auditon(2) - reset audit statistics

Event Name: AUE_AUDITON_SETSTAT
Event ID: 226
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-24 auditon(2) - set mask per uid

Event Name: AUE_AUDITON_SETUMASK
Event ID: 227
Event Class: ad
Mask: 0x00000800

Format:

header-token

[argument-token] (3, "setumask:as_success", audit ID mask)

[argument-token] (3, "setumask:as_failure", audit ID mask)

subject-token

return-token

Table A-25 auditon(2) - SPOLICY command

Event Name: AUE_AUDITON_SPOLICY
Event ID: 147
Event Class: ad
Mask: 0x00000800

Format:

header-token

[argument-token] (1, "policy", audit policy flags)

subject-token

return-token

Table A-26 auditon(2) - SQCTRL command

Event Name: AUE_AUDITON_SQCTRL
Event ID: 146
Event Class: ad
Mask: 0x00000800

Format:

header-token

[argument-token] (3, "setqctrl:aq_hiwater", queue control param.)

[argument-token] (3, "setqctrl:aq_lowater", queue control param.)

[argument-token] (3, "setqctrl:aq_bufsz", queue control param.)

[argument-token] (3, "setqctrl:aq_delay", queue control param.)

subject-token

return-token

Table A-27 auditsvc(2)

Event Name: AUE_AUDITSVC
Event ID: 136
Event Class: ad
Mask: 0x00000800

Format (valid file descriptor):

header-token

[path-token]

[attr-token]

subject-token

return-token

Format (not valid file descriptor):

header-token

argument-token (1, "no path: fd", fd)

subject-token

return-token

Table A-28 bind(2)

Event Name: AUE_BIND
Event ID: 34
Event Class: nt
Mask: 0x00000100

Format:

header-token

If there is no vnode for this file descriptor:

[arg-token] (1, "Bad fd", file descriptor)

or if the socket is not of the AF_INET family:

[arg-token (1, "fd", file descriptor)

text-token] ("bad socket address")

for all other conditions:

[arg-token (1, "fd", file descriptor)

socket-inet-token] ("socket address")

subject-token

return-token

Table A-29 chdir(2)

Event Name: AUE_CHDIR
Event ID: 8
Event Class: pc
Mask: 0x00000080

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-30 chmod(2)

Event Name: AUE_CHMOD
Event ID: 10
Event Class: fm
Mask: 0x00000008

Format:

header-token

argument-token (2, "new file mode", mode)

path-token

[attr-token]

subject-token

return-token

Table A-31 chown(2)

Event Name: AUE_CHOWN
Event ID: 11
Event Class: fm
Mask: 0x00000008

Format:

header-token

argument-token (2, "new file uid", uid)

argument-token (3, "new file gid", gid)

path-token

[attr-token]

subject-token

return-token

Table A-32 chroot(2)

Event Name: AUE_CHROOT
Event ID: 24
Event Class: pc
Mask: 0x00000080

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-33 close(2)

Event Name: AUE_CLOSE
Event ID: 112
Event Class: cl
Mask: 0x00000040

Format:

<file system object>

header-token

argument-token (1, "fd", file descriptor)

[path-token]

[attr-token]

subject-token

return-token

Table A-34 connect(2)

Event Name: AUE_CONNECT
Event ID: 32
Event Class: nt
Mask: 0x00000100

Format (if the socket address is not part of the AF_INET family):

header-token

arg-token (1, "fd", file descriptor)

text-token ("bad socket address")

text-token ("bad peer address")

subject-token

return-token

Format (if the socket address is part of the AF_INET family):

header-token

If there is no vnode for this file descriptor:

[arg-token] (1, "Bad fd", file descriptor)

or if the socket is not bound:

[arg-token (1, "fd", file descriptor)

text-token] ("socket not bound")

or if the socket address length = 0:

[arg-token (1, "fd", file descriptor)

text-token] ("bad socket address")

for all other conditions:

[socket-inet-token] ("socket address")

socket-inet-token ("socket address")

subject-token

return-token

Table A-35 creat(2)

Event Name: AUE_CREAT
Event ID: 4
Event Class: fc
Mask: 0x00000010

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-36 doorfs(2) - DOOR_BIND

Event Name: AUE_DOORFS_DOOR_BIND
Event ID: 260
Event Class: ip
Mask: 0x00000200

Format:

header-token

arg-token (1, "door ID", door ID)

subject-token

return-token

Table A-37 doorfs(2) - DOOR_CALL

Event Name: AUE_DOORFS_DOOR_CALL
Event ID: 254
Event Class: ip
Mask: 0x00000200

Format:

header-token

arg-token (1, "door ID", door ID)

process-token (for process that owns the door)

subject-token

return-token

Table A-38 doorfs(2) - DOOR_CREATE

Event Name: AUE_DOORFS_DOOR_CREATE
Event ID: 256
Event Class: ip
Mask: 0x00000200

Format:

header-token

arg-token (1, "door attr", door attributes)

subject-token

return-token

Table A-39 doorfs(2) - DOOR_CRED

Event Name: AUE_DOORFS_DOOR_CRED
Event ID: 259
Event Class: ip
Mask: 0x00000200

Format:

header-token

subject-token

return-token

Table A-40 doorfs(2) - DOOR_INFO

Event Name: AUE_DOORFS_DOOR_INFO
Event ID: 258
Event Class: ip
Mask: 0x00000200

Format:

header-token

subject-token

return-token

Table A-41 doorfs(2) - DOOR_RETURN

Event Name: AUE_DOORFS_DOOR_RETURN
Event ID: 255
Event Class: ip
Mask: 0x00000200

Format:

header-token

subject-token

return-token

Table A-42 doorfs(2) - DOOR_REVOKE

Event Name: AUE_DOORFS_DOOR_REVOKE
Event ID: 257
Event Class: ip
Mask: 0x00000200

Format:

header-token

arg-token (1, "door ID", door ID)

subject-token

return-token

Table A-43 doorfs(2) - DOOR_UNBIND

Event Name: AUE_DOORFS_DOOR_UNBIND
Event ID: 261
Event Class: ip
Mask: 0x00000200

Format:

header-token

arg-token (1, "door ID", door ID)

subject-token

return-token

Table A-44 enter prom

Event Name: AUE_ENTERPROM
Event ID: 153
Event Class: na
Mask: 0x00000400

Format:

header-token

text-token (addr, "monitor PROM"|"kadb")

subject-token

return-token

Table A-45 exec(2)

Event Name: AUE_EXEC
Event ID: 7
Event Class: pc,ex
Mask: 0x40000080

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-46 execve(2)

Event Name: AUE_EXECVE
Event ID: 23
Event Class: pc,ex
Mask: 0x40000080

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-47 exit prom

Event Name: AUE_EXITPROM
Event ID: 154
Event Class: na
Mask: 0x00000400

Format:

header-token

text-token (addr, "monitor PROM"|"kadb")

subject-token

return-token

Table A-48 exit(2)

Event Name: AUE_EXIT
Event ID: 1
Event Class: pc
Mask: 0x00000080

Format:

header-token

subject-token

return-token

Table A-49 facl(2) - SETACL command

Event Name: AUE_FACLSET
Event ID: 252
Event Class: fm
Mask: 0x00000008

Format (zero path):

header-token

arg-token (2, "cmd", SETACL)

arg-token (3, "nentries", number of ACL entries)

arg-token (1, "no path: fd", file descriptor)

(0..n)[acl-token] (ACLs)

subject-token

return-token

Format (non-zero path):

header-token

arg-token (2, "cmd", SETACL)

arg-token (3, "nentries", number of ACL entries)

path-token

[attr-token]

(0..n)[acl-token] (ACLs)

subject-token

return-token

Table A-50 fchdir(2)

Event Name: AUE_FCHDIR
Event ID: 68
Event Class: pc
Mask: 0x00000080

Format:

header-token

[path-token]

[attr-token]

subject-token

return-token

Table A-51 fchmod(2)

Event Name: AUE_FCHMOD
Event ID: 39
Event Class: fm
Mask: 0x00000008

Format (valid file descriptor):

header-token

argument-token (2, "new file mode", mode)

[path-token]

[attr-token]

subject-token

return-token

Format (not valid file descriptor):

header-token

argument-token (2, "new file mode", mode)

argument-token (1, "no path: fd", fd)

subject-token

return-token

Table A-52 fchown(2)

Event Name: AUE_FCHOWN
Event ID: 38
Event Class: fm
Mask: 0x00000008

Format (valid file descriptor):

header-token

argument-token (2, "new file uid", uid)

argument-token (3, "new file gid", gid)

[path-token]

[attr-token]

subject-token

return-token

Format (non-file descriptor):

header-token

argument-token (2, "new file uid", uid)

argument-token (3, "new file gid", gid)

argument-token (1, "no path: fd", fd)

subject-token

return-token

Table A-53 fchroot(2)

Event Name: AUE_FCHROOT
Event ID: 69
Event Class: pc
Mask: 0x00000080

Format:

header-token

[path-token]

[attr-token]

subject-token

return-token

Table A-54 fcntl(2)

Event Name: AUE_FCNTL (cmd=F_GETLK, F_SETLK, F_SETLKW)
Event ID: 30
Event Class: fm
Mask: 0x00000008

Format (file descriptor):

header-token

argument-token (2, "cmd", cmd)

path-token

attr-token

subject-token

return-token

Format (bad file descriptor):

header-token

argument-token (2, "cmd", cmd)

argument-token (1, "no path: fd", fd)

subject-token

return-token

Table A-55 fork(2)

Event Name: AUE_FORK
Event ID: 2
Event Class: pc
Mask: 0x00000080

Format:

header-token

[argument-token] (0, "child PID", pid)

subject-token

return-token

The fork() return values are undefined because the audit record
is produced at the point that the child process is spawned.

Table A-56 fork1(2)

Event Name: AUE_FORK1
Event ID: 241
Event Class: pc
Mask: 0x00000080

Format:

header-token

[argument-token] (0, "child PID", pid)

subject-token

return-token

The fork1() return values are undefined because the audit record
is produced at the point that the child process is spawned.

Table A-57 fstatfs(2)

Event Name: AUE_FSTATFS
Event ID: 55
Event Class: fa
Mask: 0x00000004

Format (file descriptor):

header-token

[path-token]

[attr-token]

subject-token

return-token

Format (non-file descriptor):

header-token

argument-token (1, "no path: fd", fd)

subject-token

return-token

Table A-58 getaudit(2)

Event Name: AUE_GETAUDIT
Event ID: 132
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-59 getauid(2)

Event Name: AUE_GETAUID
Event ID: 130
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-60 getmsg(2)

Event Name: AUE_GETMSG
Event ID: 217
Event Class: nt
Mask: 0x00000100

Format:

header-token

argument-token (1, "fd", file descriptor)

argument-token (4, "pri", priority)

subject-token

return-token

Table A-61 getmsg - accept

Event Name: AUE_SOCKACCEPT
Event ID: 247
Event Class: nt
Mask: 0x00000100

Format:

header-token

socket-inet-token

argument-token (1, "fd", file descriptor)

argument-token (4, "pri", priority)

subject-token

return-token

Table A-62 getmsg - receive

Event Name: AUE_SOCKRECEIVE
Event ID: 250
Event Class: nt
Mask: 0x00000100

Format:

header-token

socket-inet-token

argument-token (1, "fd", file descriptor)

argument-token (4, "pri", priority)

subject-token

return-token

Table A-63 getpmsg(2)

Event Name: AUE_GETPMSG
Event ID: 219
Event Class: nt
Mask: 0x00000100

Format:

header-token

argument-token (1, "fd", file descriptor)

subject-token

return-token

Table A-64 getportaudit(2)

Event Name: AUE_GETPORTAUDIT
Event ID: 149
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-65 inst_sync(2)

Event Name: AUE_INST_SYNC
Event ID: 264
Event Class: ad
Mask: 0x00000800

Format:

header-token

arg-token (2, "flags", flags value)

subject-token

return-token

Table A-66 ioctl(2)

Event Name: AUE_IOCTL
Event ID: 158
Event Class: io
Mask: 0x20000000

Format (good file descriptor):

header-token

path-token

[attr-token]

argument-token (2, "cmd", ioctl cmd)

argument-token (3, "arg", ioctl arg)

subject-token

return-token

Format (socket):

header-token

[socket-token]

argument-token (2, "cmd", ioctl cmd)

argument-token (3, "arg", ioctl arg)

subject-token

return-token

Format (non-file file descriptor):

header-token

argument-token (1, "fd", file descriptor)

argument-token (2, "cmd", ioctl cmd)

argument-token (3, "arg", ioctl arg)

subject-token

return-token

Format (bad file name):

header-token

argument-token (1, "no path: fd", fd)

argument-token (2, "cmd", ioctl cmd)

argument-token (3, "arg", ioctl arg)

subject-token

return-token

Table A-67 kill(2)

Event Name: AUE_KILL
Event ID: 15
Event Class: pc
Mask: 0x00000080

Format (valid process):

header-token

argument-token (2, "signal", signo)

[process-token]

subject-token

return-token

Format (zero or negative process):

header-token

argument-token (2, "signal", signo)

argument-token (1, "process", pid)

subject-token

return-token

Table A-68 lchown(2)

Event Name: AUE_LCHOWN
Event ID: 237
Event Class: fm
Mask: 0x00000008

Format:

header-token

argument-token (2, "new file uid", uid)

argument-token (3, "new file gid", gid)

path-token

[attr-token]

subject-token

return-token

Table A-69 link(2)

Event Name: AUE_LINK
Event ID: 5
Event Class: fc
Mask: 0x00000010

Format:

header-token

path-token (from path)

[attr-token] (from path)

path-token (to path)

subject-token

return-token

Table A-70 lstat(2)

Event Name: AUE_LSTAT
Event ID: 17
Event Class: fa
Mask: 0x00000004

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-71 lxstat(2)

Event Name: AUE_LXSTAT
Event ID: 236
Event Class: fa
Mask: 0x00000004

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-72 memcntl(2)

Event Name: AUE_MEMCNTL
Event ID: 238
Event Class: ot
Mask: 0x80000000

Format:

header-token

argument-token (1, "base", base address)

argument-token (2, "len", length)

argument-token (3, "cmd", command)

argument-token (4, "arg", command args)

argument-token (5, "attr", command attributes)

argument-token (6, "mask", 0)

subject-token

return-token

Table A-73 mkdir(2)

Event Name: AUE_MKDIR
Event ID: 47
Event Class: fc
Mask: 0x00000010

Format:

header-token

argument-token (2, "mode", mode)

path-token

[attr-token]

subject-token

return-token

Table A-74 mknod(2)

Event Name: AUE_MKNOD
Event ID: 9
Event Class: fc
Mask: 0x00000010

Format:

header-token

argument-token (2, "mode", mode)

argument-token (3, "dev", dev)

path-token

[attr-token]

subject-token

return-token

Table A-75 mmap(2)

Event Name: AUE_MMAP
Event ID: 210
Event Class: no
Mask: 0x00000000

Format (valid file descriptor):

header-token

argument-token (1, "addr", segment address)

argument-token (2, "len", segment length)

[path-token]

[attr-token]

subject-token

return-token

Format (not valid file descriptor):

header-token

argument-token (1, "addr", segment address)

argument-token (2, "len", segment length)

argument-token (1, "no path: fd", fd)

subject-token

return-token

Table A-76 modctl(2) - bind module

Event Name: AUE_MODADDMAJ
Event ID: 246
Event Class: ad
Mask: 0x00000800

Format:

header-token

[text-token] (driver major number)

[text-token] (driver name)

text-token (root dir.|"no rootdir")

text-token (driver major number|"no drvname")

argument-token (5, "", number of aliases)

(0..n)[text-token] (aliases)

subject-token

return-token
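The Format blocks in these tables use three notations: a bare token name is required, a bracketed token such as [process-token] is optional, and the "(0..n)[text-token]" form in the modctl(2) bind module table above means zero or more tokens. Reading them correctly matters when you write a parser or a detection rule, because the kill(2) table has two layouts that differ only in which argument tokens are present. The following Python is an added example, not code from the guide or from Solaris: it parses Format blocks exactly as they are written here and checks an observed token sequence (given as (token name, argument number) pairs, a representation chosen for this example) against them, with backtracking so that optional and repeated tokens are handled. How the pairs are decoded from a binary audit trail is outside its scope.

```python
"""Match an observed audit token sequence against a record Format as written
in this appendix.  Added example; not code from the original guide.

Notation handled, as used in the tables:
    header-token                          one required token
    [process-token]                       an optional token
    argument-token (2, "signal", signo)   required; the leading number is the
                                          argument number and is matched too
    (0..n)[text-token] (aliases)          zero or more tokens
"arg-token" is read as a spelling of "argument-token".
"""
import re
from typing import Dict, List, Optional, Tuple

Element = Tuple[str, Optional[int], int, Optional[int]]  # name, argno, min, max
Token = Tuple[str, Optional[int]]                        # observed name, argno

_LINE = re.compile(
    r"^(?P<rep>\(0\.\.n\))?"            # "(0..n)" repetition prefix
    r"(?P<opt>\[)?"                     # "[" marks an optional token
    r"(?P<name>[a-z_]+)-token\]?"       # token name, closing "]" if present
    r"(?:\s*\(\s*(?P<argno>\d+)\s*,)?"  # "(N, ..." argument number if present
)


def parse_format(fmt: str) -> List[Element]:
    """Turn the lines of a Format block into (name, argno, min, max) elements."""
    elems: List[Element] = []
    for raw in fmt.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):      # blank line or "Format ...:" heading
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"not a token line: {line!r}")
        name = "argument" if m.group("name") == "arg" else m.group("name")
        argno = int(m.group("argno")) if m.group("argno") else None
        if m.group("rep"):
            lo, hi = 0, None                    # unbounded repetition
        elif m.group("opt"):
            lo, hi = 0, 1                       # optional
        else:
            lo, hi = 1, 1                       # required
        elems.append((name, argno, lo, hi))
    return elems


def _fits(elem: Element, tok: Token) -> bool:
    name, argno, _, _ = elem
    return tok[0] == name and (argno is None or tok[1] == argno)


def matches(elems: List[Element], tokens: List[Token], i: int = 0, j: int = 0) -> bool:
    """Backtracking match of tokens[j:] against elems[i:]; the record must be fully consumed."""
    if i == len(elems):
        return j == len(tokens)
    elem = elems[i]
    _, _, lo, hi = elem
    k = 0                                       # tokens consumed by this element
    while True:
        if k >= lo and matches(elems, tokens, i + 1, j + k):
            return True
        if hi is not None and k >= hi:
            return False
        if j + k >= len(tokens) or not _fits(elem, tokens[j + k]):
            return False
        k += 1


def identify(variants: Dict[str, str], tokens: List[Token]) -> List[str]:
    """Names of the Format variants (e.g. the two kill(2) layouts) the record satisfies."""
    return [name for name, fmt in variants.items() if matches(parse_format(fmt), tokens)]


def rec(*items) -> List[Token]:
    """Build a token list from names, or (name, argno) pairs for argument tokens."""
    return [it if isinstance(it, tuple) else (it, None) for it in items]


# Format blocks copied from the kill(2) and modctl(2) - bind module tables.
KILL_FORMATS = {
    "valid process": """
        header-token
        argument-token (2, "signal", signo)
        [process-token]
        subject-token
        return-token
    """,
    "zero or negative process": """
        header-token
        argument-token (2, "signal", signo)
        argument-token (1, "process", pid)
        subject-token
        return-token
    """,
}
MODCTL_BIND_FORMAT = """
    header-token
    [text-token] (driver major number)
    [text-token] (driver name)
    text-token (root dir.|"no rootdir")
    text-token (driver major number|"no drvname")
    argument-token (5, "", number of aliases)
    (0..n)[text-token] (aliases)
    subject-token
    return-token
"""

# Constructed token sequences for the demonstration, not from a real audit trail.
KILL_WITH_PROCESS = rec("header", ("argument", 2), "process", "subject", "return")
KILL_NO_PROCESS = rec("header", ("argument", 2), "subject", "return")
KILL_PID_ZERO = rec("header", ("argument", 2), ("argument", 1), "subject", "return")
MODCTL_TWO_ALIASES = rec("header", "text", "text", "text", "text", ("argument", 5),
                         "text", "text", "subject", "return")
MODCTL_MISSING_TEXT = rec("header", "text", ("argument", 5), "subject", "return")

if __name__ == "__main__":
    for label, record in [("process-token present", KILL_WITH_PROCESS),
                          ("process-token omitted", KILL_NO_PROCESS),
                          ("pid <= 0", KILL_PID_ZERO)]:
        print(f"kill(2), {label}: {identify(KILL_FORMATS, record)}")
    bind = parse_format(MODCTL_BIND_FORMAT)
    print("modctl bind, two aliases:", matches(bind, MODCTL_TWO_ALIASES))
    print("modctl bind, one text-token only:", matches(bind, MODCTL_MISSING_TEXT))
```

A kill(2) record with no process-token still satisfies only the "valid process" layout, because the other layout requires a second argument token with argument number 1; the modctl record with a single text-token fails because two of its text-tokens are required and only two are optional.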

Table A-77 modctl(2) - configure module

Event Name: AUE_MODCONFIG
Event ID: 245
Event Class: ad
Mask: 0x00000800

Format:

header-token

text-token (root dir.|"no rootdir")

text-token (driver major number|"no drvname")

subject-token

return-token

Table A-78 modctl(2) - load module

Event Name: AUE_MODLOAD
Event ID: 243
Event Class: ad
Mask: 0x00000800

Format:

header-token

[text-token] (default path)

text-token (filename path)

subject-token

return-token

Table A-79 modctl(2) - unload module

Event Name: AUE_MODUNLOAD
Event ID: 244
Event Class: ad
Mask: 0x00000800

Format:

header-token

argument-token (1, "id", module ID)

subject-token

return-token

Table A-80 mount(2)

Event Name: AUE_MOUNT
Event ID: 62
Event Class: ad
Mask: 0x00000800

Format (UNIX file system):

header-token

argument-token (3, "flags", flags)

text-token (filesystem type)

path-token

[attr-token]

subject-token

return-token

Format (NFS file system):

header-token

argument-token (3, "flags", flags)

text-token (filesystem type)

text-token (host name)

argument-token (3, "internal flags", flags)

Table A-81 msgctl(2) - IPC_RMID command

Event Name: AUE_MSGCTL_RMID
Event ID: 85
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "msg ID", message ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the msg ID is
not valid.

Table A-82 msgctl(2) - IPC_SET command

Event Name: AUE_MSGCTL_SET
Event ID: 86
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "msg ID", message ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the msg ID is
not valid.

Table A-83 msgctl(2) - IPC_STAT command

Event Name: AUE_MSGCTL_STAT
Event ID: 87
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "msg ID", message ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the msg ID is
not valid.

Table A-84 msgget(2)

Event Name: AUE_MSGGET
Event ID: 88
Event Class: ip
Mask: 0x00000200

Format:

header-token

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the msg ID is
not valid.

Table A-85 msgrcv(2)

Event Name: AUE_MSGRCV
Event ID: 89
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "msg ID", message ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the msg ID is
not valid.

Table A-86 msgsnd(2)

Event Name: AUE_MSGSND
Event ID: 90
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "msg ID", message ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the msg ID is
not valid.

Table A-87 munmap(2)

Event Name: AUE_MUNMAP
Event ID: 213
Event Class: cl
Mask: 0x00000040

Format:

header-token

argument-token (1, "addr", address of memory)

argument-token (2, "len", memory segment size)

subject-token

return-token

Table A-88 old nice(2)

Event Name: AUE_NICE
Event ID: 203
Event Class: pc
Mask: 0x00000080

Format:

header-token

subject-token

return-token

Table A-89 open(2) - read

Event Name: AUE_OPEN_R
Event ID: 72
Event Class: fr
Mask: 0x00000001

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-90 open(2) - read,creat

Event Name: AUE_OPEN_RC
Event ID: 73
Event Class: fc,fr
Mask: 0x00000011

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-91 open(2) - read,creat,trunc

Event Name: AUE_OPEN_RTC
Event ID: 75
Event Class: fc,fd,fr
Mask: 0x00000031

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-92 open(2) - read,trunc

Event Name: AUE_OPEN_RT
Event ID: 74
Event Class: fd,fr
Mask: 0x00000021

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-93 open(2) - read,write

Event Name: AUE_OPEN_RW
Event ID: 80
Event Class: fr,fw
Mask: 0x00000003

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-94 open(2) - read,write,creat

Event Name: AUE_OPEN_RWC
Event ID: 81
Event Class: fr,fw,fc
Mask: 0x00000013

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-95 open(2) - read,write,creat,trunc

Event Name: AUE_OPEN_RWTC
Event ID: 83
Event Class: fr,fw,fc,fd
Mask: 0x00000033

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-96 open(2) - read,write,trunc

Event Name: AUE_OPEN_RWT
Event ID: 82
Event Class: fr,fw,fd
Mask: 0x00000023

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-97 open(2) - write

Event Name: AUE_OPEN_W
Event ID: 76
Event Class: fw
Mask: 0x00000002

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-98 open(2) - write,creat

Event Name: AUE_OPEN_WC
Event ID: 77
Event Class: fw,fc
Mask: 0x00000012

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-99 open(2) - write,creat,trunc

Event Name: AUE_OPEN_WTC
Event ID: 79
Event Class: fw,fc,fd
Mask: 0x00000032

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-100 open(2) - write,trunc

Event Name: AUE_OPEN_WT
Event ID: 78
Event Class: fw,fd
Mask: 0x00000022

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-101 p_online(2)

Event Name: AUE_P_ONLINE
Event ID: 262
Event Class: ad
Mask: 0x00000800

Format:

header-token

arg-token (1, "processor ID", processor ID)

arg-token (2, "flags", flags value)

text-token (text form of flags value: P_ONLINE, P_OFFLINE, P_STATUS)

subject-token

return-token

Table A-102 pathconf(2)

Event Name: AUE_PATHCONF
Event ID: 71
Event Class: fa
Mask: 0x00000004

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-103 pipe(2)

Event Name: AUE_PIPE
Event ID: 185
Event Class: no
Mask: 0x00000000

Format:

header-token

subject-token

return-token

Table A-104 priocntlsys(2)

Event Name: AUE_PRIOCNTLSYS
Event ID: 212
Event Class: pc
Mask: 0x00000080

Format:

header-token

argument-token (1, "pc_version", priocntl version num.)

argument-token (3,"cmd", command)

subject-token

return-token

Table A-105 process dumped core

Event Name: AUE_CORE
Event ID: 111
Event Class: fc
Mask: 0x00000010

Format:

header-token

path-token

[attr-token]

argument-token (1, "signal", signal)

subject-token

return-token

Table A-106 processor_bind(2)

Event Name: AUE_PROCESSOR_BIND
Event ID: 263
Event Class: ad
Mask: 0x00000800

Format (no processor bound):

header-token

arg-token (1, "ID type", type of ID)

arg-token (2, "ID", ID value)

text-token ("PBIND_NONE")

process-token (for process whose threads are bound to the processor)

subject-token

return-token

Format (with processor bound):

header-token

arg-token (1, "ID type", type of ID)

arg-token (2, "ID", ID value)

arg-token (3, "processor ID", processor ID)

process-token (for process whose threads are bound to the processor)

subject-token

return-token

Table A-107 putmsg(2)

Event Name: AUE_PUTMSG
Event ID: 216
Event Class: nt
Mask: 0x00000100

Format:

header-token

argument-token (1, "fd", file descriptor)

argument-token (4, "pri", priority)

subject-token

return-token

Table A-108 putmsg - connect

Event Name: AUE_SOCKCONNECT
Event ID: 248
Event Class: nt
Mask: 0x00000100

Format:

header-token

socket-inet-token

argument-token (1, "fd", file descriptor)

argument-token (4, "pri", priority)

subject-token

return-token

Table A-109 putmsg - send

Event Name: AUE_SOCKSEND
Event ID: 249
Event Class: nt
Mask: 0x00000100

Format:

header-token

socket-inet-token

argument-token (1, "fd", file descriptor)

argument-token (4, "pri", priority)

subject-token

return-token

Table A-110 putpmsg(2)

Event Name: AUE_PUTPMSG
Event ID: 218
Event Class: nt
Mask: 0x00000100

Format:

header-token

argument-token (1, "fd", file descriptor)

subject-token

return-token

Table A-111 readlink(2)

Event Name: AUE_READLINK
Event ID: 22
Event Class: fr
Mask: 0x00000001

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-112 rename(2)

Event Name: AUE_RENAME
Event ID: 42
Event Class: fc,fd
Mask: 0x00000030

Format:

header-token

path-token (from name)

[attr-token] (from name)

[path-token] (to name)

subject-token

return-token

Table A-113 rmdir(2)

Event Name: AUE_RMDIR
Event ID: 48
Event Class: fd
Mask: 0x00000020

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-114 semctl(2) - getall

Event Name: AUE_SEMCTL_GETALL
Event ID: 105
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "sem ID", semaphore ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the semaphore ID
is not valid.

Table A-115 semctl(2) - GETNCNT command

Event Name: AUE_SEMCTL_GETNCNT
Event ID: 102
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "sem ID", semaphore ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the semaphore ID
is not valid.

Table A-116 semctl(2) - GETPID command

Event Name: AUE_SEMCTL_GETPID
Event ID: 103
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "sem ID", semaphore ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the semaphore
ID is not valid.

Table A-117 semctl(2) - GETVAL command

Event Name: AUE_SEMCTL_GETVAL
Event ID: 104
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "sem ID", semaphore ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the semaphore ID
is not valid.

Table A-118 semctl(2) - GETZCNT command

Event Name: AUE_SEMCTL_GETZCNT
Event ID: 106
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "sem ID", semaphore ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the semaphore
ID is not valid.

Table A-119 semctl(2) - IPC_RMID command

Event Name: AUE_SEMCTL_RMID
Event ID: 99
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "sem ID", semaphore ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the semaphore ID
is not valid.

Table A-120 semctl(2) - IPC_SET command

Event Name: AUE_SEMCTL_SET
Event ID: 100
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "sem ID", semaphore ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the semaphore
ID is not valid.

Table A-121 semctl(2) - SETALL command

Event Name: AUE_SEMCTL_SETALL
Event ID: 108
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "sem ID", semaphore ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the semaphore ID
is not valid.

Table A-122 semctl(2) - SETVAL command

Event Name: AUE_SEMCTL_SETVAL
Event ID: 107
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "sem ID", semaphore ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the semaphore
ID is not valid.

Table A-123 semctl(2) - IPC_STAT command

Event Name: AUE_SEMCTL_STAT
Event ID: 101
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "sem ID", semaphore ID)

[ipc-token]

subject-token

return-token

Table A-124 semget(2)

Event Name: AUE_SEMGET
Event ID: 109
Event Class: ip
Mask: 0x00000200

Format:

header-token

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the system call
failed.

Table A-125 semop(2)

Event Name: AUE_SEMOP
Event ID: 110
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "sem ID", semaphore ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the semaphore ID
is not valid.

Table A-126 setaudit(2)

Event Name: AUE_SETAUDIT
Event ID: 133
Event Class: ad
Mask: 0x00000800

Format (valid program stack address):

header-token

argument-token (1, "setaudit:auid", audit user ID)

argument-token (1, "setaudit:port", terminal ID)

argument-token (1, "setaudit:machine", terminal ID)

argument-token (1, "setaudit:as_success", preselection mask)

argument-token (1, "setaudit:as_failure", preselection mask)

argument-token (1, "setaudit:asid", audit session ID)

subject-token

return-token

Format (not valid program stack address):

header-token

subject-token

return-token
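The Mask column of every table above is the OR of the class bits named in its Event Class column (for example the open(2) read,write,creat,trunc record, classes fr,fw,fc,fd, has mask 0x00000033), and the as_success and as_failure preselection masks recorded by the setaudit(2) table are compared against those event masks to decide whether a record is written at all. The following Python is an added example, not code from the guide or from Solaris. The class letters and bit values are the ones shown in the tables; two things are assumed rather than stated on this page: the selection rule (an event is recorded when its class mask shares a bit with as_success on success, or with as_failure on failure) and the audit_control(4) flags syntax accepted by parse_flags(), in which a bare class selects both outcomes, a "+" prefix success only and a "-" prefix failure only.

```python
"""Event-class masks from this appendix and the preselection test they feed.
Added example; not code from the original guide.  The selection rule and the
flags syntax in parse_flags() are assumptions, not statements of this page.
"""

# Class letter -> mask bit, as shown in the Event Class and Mask columns.
CLASS_MASK = {
    "fr": 0x00000001, "fw": 0x00000002, "fa": 0x00000004, "fm": 0x00000008,
    "fc": 0x00000010, "fd": 0x00000020, "cl": 0x00000040, "pc": 0x00000080,
    "nt": 0x00000100, "ip": 0x00000200, "na": 0x00000400, "ad": 0x00000800,
    "lo": 0x00001000, "io": 0x20000000, "ot": 0x80000000,
    "no": 0x00000000,   # "no" class: never preselected (see mmap(2), pipe(2))
}


def event_mask(classes: str) -> int:
    """OR the masks of a comma-separated Event Class column, e.g. 'fr,fw,fc,fd' -> 0x33."""
    mask = 0
    for name in classes.split(","):
        name = name.strip()
        if name not in CLASS_MASK:
            raise ValueError(f"unknown audit class {name!r}")
        mask |= CLASS_MASK[name]
    return mask


def classes_of(mask: int) -> list[str]:
    """Inverse of event_mask(): 0x31 -> ['fr', 'fc', 'fd']; rejects bits of no known class."""
    names = [n for n, bit in CLASS_MASK.items() if bit and mask & bit]
    known = 0
    for n in names:
        known |= CLASS_MASK[n]
    if mask & ~known:
        raise ValueError(f"unknown class bits 0x{mask & ~known:08x}")
    return names


def parse_flags(flags: str) -> tuple[int, int]:
    """'lo,ad,+pc,-fw' -> (as_success, as_failure); audit_control(4)-style syntax (assumed)."""
    as_success = as_failure = 0
    for item in flags.split(","):
        item = item.strip()
        if not item:
            continue
        prefix, name = (item[0], item[1:]) if item[0] in "+-" else ("", item)
        bit = event_mask(name)
        if prefix != "-":
            as_success |= bit
        if prefix != "+":
            as_failure |= bit
    return as_success, as_failure


def selected(classes: str, as_success: int, as_failure: int, success: bool) -> bool:
    """Would an event of these classes be recorded, given the call's outcome?"""
    return bool(event_mask(classes) & (as_success if success else as_failure))


# (Event Name, Event Class, Mask) rows copied from this appendix.
TABLE_ROWS = [
    ("AUE_OPEN_RTC", "fc,fd,fr", 0x00000031),
    ("AUE_OPEN_RWTC", "fr,fw,fc,fd", 0x00000033),
    ("AUE_RENAME", "fc,fd", 0x00000030),
    ("AUE_IOCTL", "io", 0x20000000),
    ("AUE_MEMCNTL", "ot", 0x80000000),
    ("AUE_MMAP", "no", 0x00000000),
    ("AUE_SETAUDIT", "ad", 0x00000800),
]


def inconsistent_rows(rows=TABLE_ROWS) -> list[str]:
    """Event names whose Mask column is not the OR of their Event Class bits."""
    return [name for name, classes, mask in rows if event_mask(classes) != mask]


if __name__ == "__main__":
    succ, fail = parse_flags("lo,ad,+pc,-fw")
    print(f"as_success=0x{succ:08x} as_failure=0x{fail:08x}")
    for name, classes, _ in TABLE_ROWS:
        print(f"{name:14s} on success: {selected(classes, succ, fail, True)!s:5} "
              f"on failure: {selected(classes, succ, fail, False)}")
    print("rows with mask/class mismatch:", inconsistent_rows())
```

With the flags "lo,ad,+pc,-fw" a failed open(2) for write,creat (classes fw,fc) is recorded but a successful one is not, a kill(2) (class pc) is recorded only when it succeeds, and mmap(2), whose class is "no" and whose mask is zero, is never recorded whatever the preselection mask.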

Table A-127 setauid(2)

Event Name: AUE_SETAUID
Event ID: 131
Event Class: ad
Mask: 0x00000800

Format:

header-token

argument-token (2, "setauid", audit user ID)

subject-token

return-token

Table A-128 setegid(2)

Event Name: AUE_SETEGID
Event ID: 214
Event Class: pc
Mask: 0x00000080

Format:

header-token

argument-token (1, "gid", group ID)

subject-token

return-token

Table A-129 seteuid(2)

Event Name: AUE_SETEUID
Event ID: 215
Event Class: pc
Mask: 0x00000080

Format:

header-token

argument-token (1, "uid", user ID)

subject-token

return-token

Table A-130 old setgid(2)

Event Name: AUE_SETGID
Event ID: 205
Event Class: pc
Mask: 0x00000080

Format:

header-token

argument-token (1, "gid", group ID)

subject-token

return-token

Table A-131 setgroups(2)

Event Name: AUE_SETGROUPS
Event ID: 26
Event Class: pc
Mask: 0x00000080

Format:

header-token

[argument-token] (1, "setgroups", group ID)

subject-token

return-token

One argument-token for each group set.

Table A-132 setpgrp(2)

Event Name: AUE_SETPGRP
Event ID: 27
Event Class: pc
Mask: 0x00000080

Format:

header-token

subject-token

return-token

Table A-133 setregid(2)

Event Name: AUE_SETREGID
Event ID: 41
Event Class: pc
Mask: 0x00000080

Format:

header-token

arg-token (1, "rgid", real group ID)

arg-token (2, "egid", effective group ID)

subject-token

return-token

Table A-134 setreuid(2)

Event Name: AUE_SETREUID
Event ID: 40
Event Class: pc
Mask: 0x00000080

Format:

header-token

arg-token (1, "ruid", real user ID)

arg-token (2, "euid", effective user ID)

subject-token

return-token

Table A-135 setrlimit(2)

Event Name: AUE_SETRLIMIT
Event ID: 51
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-136 old setuid(2)

Event Name: AUE_OSETUID
Event ID: 200
Event Class: pc
Mask: 0x00000080

Format:

header-token

argument-token (1, "uid", user ID)

subject-token

return-token

Because of a current bug in the audit software, this event is
reported as AUE_OSETUID.

Table A-137 shmat(2)

Event Name: AUE_SHMAT
Event ID: 96
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "shmid", shared memory ID)

argument-token (2, "shmaddr", shared mem addr)

[ipc-token]

[ipc_perm-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the shared memory
segment ID is not valid.

Table A-138 shmctl(2) - IPC_RMID command

Event Name: AUE_SHMCTL_RMID
Event ID: 92
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "shmid", shared memory ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the shared
memory segment ID is not valid.

Table A-139 shmctl(2) - IPC_SET command

Event Name: AUE_SHMCTL_SET
Event ID: 93
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "shmid", shared memory ID)

[ipc-token]

[ipc_perm-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the shared memory
segment ID is not valid.

Table A-140 shmctl(2) - IPC_STAT command

Event Name: AUE_SHMCTL_STAT
Event ID: 94
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "shmid", shared memory ID)

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included if the shared
memory segment ID is not valid.

Table A-141 shmdt(2)

Event Name: AUE_SHMDT
Event ID: 97
Event Class: ip
Mask: 0x00000200

Format:

header-token

argument-token (1, "shmaddr", shared mem addr)

subject-token

return-token

Table A-142 shmget(2)

Event Name: AUE_SHMGET
Event ID: 95
Event Class: ip
Mask: 0x00000200

Format:

header-token

arg-token (0, "shmid", shared memory ID)

[ipc_perm-token]

[ipc-token]

subject-token

return-token

The ipc and ipc_perm tokens are not included for failed events.

Table A-143 shutdown(2)

Event Name: AUE_SHUTDOWN
Event ID: 46
Event Class: nt
Mask: 0x00000100

Format (socket address not in the AF_INET family):

header-token

arg-token (1, "fd", file descriptor)

text-token ("bad socket address")

text-token ("bad peer address")

subject-token

return-token

Format (socket address in the AF_INET family):

header-token

followed by one of the following groups of tokens, depending on the condition:

if there is no vnode for this file descriptor:

arg-token (1, "Bad fd", file descriptor)

if the socket is not bound:

arg-token (1, "fd", file descriptor)

text-token ("socket not bound")

if the socket address length is 0:

arg-token (1, "fd", file descriptor)

text-token ("bad socket address")

for all other conditions:

[socket-inet-token] ("socket address")

socket-inet-token ("socket address")

then, in every case:

subject-token

return-token

Table A-144 stat(2)

Event Name: AUE_STAT
Event ID: 16
Event Class: fa
Mask: 0x00000004

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-145 statfs(2)

Event Name: AUE_STATFS
Event ID: 54
Event Class: fa
Mask: 0x00000004

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-146 statvfs(2)

Event Name: AUE_STATVFS
Event ID: 234
Event Class: fa
Mask: 0x00000004

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-147 stime(2)

Event Name: AUE_STIME
Event ID: 201
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-148 symlink(2)

Event Name: AUE_SYMLINK
Event ID: 21
Event Class: fc
Mask: 0x00000010

Format:

header-token

text-token (symbolic link string)

path-token

[attr-token]

subject-token

return-token

Table A-149 sysinfo(2)

Event Name: AUE_SYSINFO
Event ID: 39
Event Class: ad
Mask: 0x00000800

Format:

header-token

argument-token (1, "cmd", command)

text-token (name)

subject-token

return-token

Table A-150 system booted

Event Name: AUE_SYSTEMBOOT
Event ID: 113
Event Class: na
Mask: 0x00000400

Format:

header-token

text-token ("booting kernel")

return-token

Table A-151 umount(2) - old version

Event Name: AUE_UMOUNT
Event ID: 12
Event Class: ad
Mask: 0x00000800

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-152 unlink(2)

Event Name: AUE_UNLINK
Event ID: 6
Event Class: fd
Mask: 0x00000020

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-153 old utime(2)

Event Name: AUE_UTIME
Event ID: 202
Event Class: fm
Mask: 0x00000008

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-154 utimes(2)

Event Name: AUE_UTIMES
Event ID: 49
Event Class: fm
Mask: 0x00000008

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-155 utssys(2) - fusers

Event Name: AUE_UTSSYS
Event ID: 233
Event Class: ad
Mask: 0x00000800

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-156 vfork(2)

Event Name: AUE_VFORK
Event ID: 25
Event Class: pc
Mask: 0x00000080

Format:

header-token

argument-token (0, "child PID", pid)

subject-token

return-token

The vfork() return values are undefined because the audit record is
produced at the point that the child process is spawned.

Table A-157 vtrace(2)

Event Name: AUE_VTRACE
Event ID: 36
Event Class: pc
Mask: 0x00000080

Format:

header-token

subject-token

return-token

Table A-158 xmknod(2)

Event Name: AUE_XMKNOD
Event ID: 240
Event Class: fc
Mask: 0x00000010

Format:

header-token

path-token

[attr-token]

subject-token

return-token

Table A-159 xstat(2)

Event Name: AUE_XSTAT
Event ID: 235
Event Class: fa
Mask: 0x00000004

Format:

header-token

path-token

[attr-token]

subject-token

return-token

User-Level Generated Audit Records

These audit records are created by applications that operate outside the kernel.
The records are sorted alphabetically by program. The description of each record includes:

The name of the program

A man page reference (if appropriate)

The audit event number

The audit event name

The audit record structure

Table A-160 allocate-device success

Event Name: AUE_allocate_succ
Program: /usr/sbin/allocate
Event ID: 6200
Event Class: ad
Mask: 0x00000800

Format:

header-token

text-token

path-token

subject-token

exit-token

Table A-161 allocate-device failure

Event Name: AUE_allocate_fail
Program: /usr/sbin/allocate
Event ID: 6201
Event Class: ad
Mask: 0x00000800

Format:

header-token

text-token

subject-token

exit-token

Table A-162 deallocate-device success

Event Name: AUE_deallocate_succ
Program: /usr/sbin/deallocate
Event ID: 6202
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

newgroups-token

exit-token

Table A-163 deallocate-device failure

Event Name: AUE_deallocate_fail
Program: /usr/sbin/deallocate
Event ID: 6203
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

newgroups-token

exit-token

Table A-164 allocate-list devices success

Event Name: AUE_listdevice_succ
Program: /usr/sbin/allocate
Event ID: 6205
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

[group-token]

exit-token

Table A-165 allocate-list devices failure

Event Name: AUE_listdevice_fail
Program: /usr/sbin/allocate
Event ID: 6206
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

[group-token]

exit-token

Table A-166 at-create crontab

Event Name: AUE_at_create
Program: /usr/bin/at
Event ID: 6144
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

[group-token]

exit-token

Table A-167 at-delete atjob (at or atrm)

Event Name: AUE_at_delete
Program: /usr/bin/at
Event ID: 6145
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

[group-token]

exit-token

Table A-168 at-permission

Event Name: AUE_at_perm
Program: /usr/bin/at
Event ID: 6146
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

[group-token]

exit-token

Table A-169 crontab-crontab created

Event Name: AUE_crontab_create
Program: /usr/bin/crontab
Event ID: 6148
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

[group-token]

exit-token

Table A-170 crontab-crontab deleted

Event Name: AUE_crontab_delete
Program: /usr/bin/crontab
Event ID: 6149
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

[group-token]

exit-token

Table A-171 cron-invoke atjob or crontab

Event Name: AUE_cron_invoke
Program: /usr/bin/crontab
Event ID: 6147
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

text-token (program)

text-token (shell)

text-token (cmd)

exit-token

Table A-172 crontab-permission

Event Name: AUE_crontab_perm
Program: /usr/bin/crontab
Event ID: 6150
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

[group-token]

exit-token

Table A-173 halt(1m)

Event Name: AUE_halt_solaris
Program: /usr/sbin/halt
Event ID: 6160
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-174 inetd

Event Name: AUE_inetd_connect
Program: /usr/sbin/inetd
Event ID: 6151
Event Class: na
Mask: 0x00000400

Format:

header-token

subject-token

text-token (service name)

in_addr-token

iport-token

return-token

Table A-175 init(1m)

Event Name: AUE_init_solaris
Program: /sbin/init; /usr/sbin/init; /usr/sbin/shutdown
Event ID: 6166
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

text-token (init level)

return-token

Table A-176 ftp access

Event Name: AUE_ftpd
Program: /usr/sbin/in.ftpd
Event ID: 6165
Event Class: lo
Mask: 0x00001000

Format:

header-token

subject-token

text-token (error message, failure only)

return-token

Table A-177 login - local

Event Name: AUE_login
Program: /usr/sbin/login
Event ID: 6152
Event Class: lo
Mask: 0x00001000

Format:

header-token

subject-token

text-token (error message)

return-token

Table A-178 login - rlogin

Event Name: AUE_rlogin
Program: /usr/sbin/login
Event ID: 6155
Event Class: lo
Mask: 0x00001000

Format:

header-token

subject-token

text-token (error message)

return-token

Table A-179 login - telnet

Event Name: AUE_telnet
Program: /usr/sbin/login
Event ID: 6154
Event Class: lo
Mask: 0x00001000

Format:

header-token

subject-token

text-token (error message)

return-token

Table A-180 logout

Event Name: AUE_logout
Program: /usr/sbin/login
Event ID: 6153
Event Class: lo
Mask: 0x00001000

Format:

header-token

subject-token

text-token

return-token

Table A-181 mount

Event Name: AUE_mountd_mount
Program: /usr/lib/nfs/mountd
Event ID: 6156
Event Class: na
Mask: 0x00000400

Format:

header-token

arg-token

text-token (remote client hostname)

path-token (mount dir)

attribute-token

path-token

attribute-token

subject-token

return-token

Table A-182 unmount

Event Name: AUE_mountd_umount
Program: /usr/lib/nfs/mountd
Event ID: 6157
Event Class: na
Mask: 0x00000400

Format:

header-token

path-token (mount dir)

attribute-token

subject-token

return-token

Table A-183 passwd

Event Name: AUE_passwd
Program: /usr/bin/passwd
Event ID: 6163
Event Class: lo
Mask: 0x00001000

Format:

header-token

subject-token

text-token (error message)

return-token

Table A-184 poweroff(1m)

Event Name: AUE_poweroff_solaris
Program: /usr/sbin/poweroff
Event ID: 6169
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-185 reboot(1m)

Event Name: AUE_reboot_solaris
Program: /usr/sbin/reboot
Event ID: 6161
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-186 rexd

Event Name: AUE_rexd
Program: /usr/sbin/rpc.rexd
Event ID: 6164
Event Class: lo
Mask: 0x00001000

Format:

header-token

subject-token

text-token (error message, failure only)

text-token (hostname)

text-token (username)

text-token (command to be executed)

exit-token

Table A-187 rexecd

Event Name: AUE_rexecd
Program: /usr/sbin/in.rexecd
Event ID: 6162
Event Class: lo
Mask: 0x00001000

Format:

header-token

subject-token

text-token (error message, failure only)

text-token (hostname)

text-token (username)

text-token (command to be executed)

exit-token

Table A-188 rsh access

Event Name: AUE_rshd
Program: /usr/sbin/in.rshd
Event ID: 6158
Event Class: lo
Mask: 0x00001000

Format:

header-token

subject-token

text-token (command string)

text-token (local user)

text-token (remote user)

return-token

Table A-189 shutdown(1b)

Event Name: AUE_shutdown_solaris
Program: /usr/ucb/shutdown
Event ID: 6168
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

return-token

Table A-190 su

Event Name: AUE_su
Program: /usr/bin/su
Event ID: 6159
Event Class: lo
Mask: 0x00001000

Format:

header-token

subject-token

text-token (error message)

return-token

Table A-191 uadmin(1m)

Event Name: AUE_uadmin_solaris
Program: /sbin/uadmin; /usr/sbin/uadmin
Event ID: 6167
Event Class: ad
Mask: 0x00000800

Format:

header-token

subject-token

text-token (function)

text-token (argument)

return-token

Event-to-System Call Translation

Table A-192 associates an audit event name with the system
call or kernel event that created it. Table A-193 associates
an audit event with the application or command that generated it.